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We give a security proof of quantum cryptography based entirely on entanglement 
purification. Our proof applies to all possible attacks (individual and coherent). It 
implies the security of cryptographic keys distributed with the help of entanglement- 
, based quantum repeaters. We prove the security of the obtained quantum channel 

^ I which may not only be used for quantum key distribution, but also for secure, albeit 

^ Q ' noisy, transmission of quantum information. 

1^ . 

^ I Quantum cryptography (QC) promises the security of data transmission against any 

eavesdropping attack allowed by the laws of physics. The first QC protocol was described 
^ ! by Bennett and Brassard as early as 1984 Later, in 1991 Ekert presented a scheme based 
\ on Bell's theorem [0]. Though the security of these protocols is easy to prove under ideal 
•/^ ■ conditions, a lot of work has been spent to prove the security under realistic circumstances. 
^ ■ In all QC protocols, a possible eavesdropper is identified because of the disturbance that he 
O ■ or she introduces when trying to gain information about a quantum state that is transmitted. 
^ I The problem is that every quantum channel introduces innocuous noise itself, which cannot, 

■ in principle, be distinguished from noise introduced by an eavesdropper. For that reason, a 
p • proof of unconditional security of QC has to assume that all noise in the channel is due to 

! the interference of an eavesdropper. 
Ch I Two different techniques have been developed to deal with these difficulties: Classical 

^ ' privacy amplification allows the eavesdropper to have partial knowledge about the raw key 
O^' built up between the communicating parties Alice and Bob. From the raw key, a shorter 
^ ! key is "distilled" about which Eve has vanishing (i. e. exponentially small in some chosen 

I security parameter) knowledge. Despite of the simple idea, proofs taking into account all 

■ eavesdropping attacks allowed by the laws of quantum mechanics have shown to be techni- 
cally involved ^, §]. Recently, Shor and Preskill have given a simpler physical proof 
relating the ideas in 0, § to quantum error correcting codes |0, |]. Quantum privacy ampli- 
fication (QPA) 1^, on the other hand, employs an entanglement purification |10, 11] protocol 
that eliminates any entanglement with an eavesdropper by creating a few perfect EPR pairs 
out of many imperfect (or impure) EPR pairs. In principle, this method guarantees security 
against any eavesdropping attack. However, the problem is that the QPA protocol assumes 
ideal quantum operations. In reality, these operations are themselves subject to noise. As 



shown in ||12| , |T3|, |14[ , there is an upper bound F^^x for the achievable fidelity of EPR pairs 
which can be distilled using noisy apparatus. A priori, there is no way to be sure that there 
is no residual entanglement with an eavesdropper. This problem could be solved if Alice 
and Bob had fault tolerant quantum computers at their disposal, which could then be used 
to reduce the noise of the apparatus to any desired level. This was an essential assumption 



in the security proof given by Lo and Chau |T3|. 



In this paper, we show that the standard two-way entanglement purification protocols 
alone, with some minor modifications to accomodate certain security aspects which will be 
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discussed below, can be used to efficiently establish a perfectly private quantum channel, even 
when both the physical channel connecting the parties and the local apparatus used by Alice 
and Bob are noisy. This is of particular interest because, as we show, the security threshold 
for the noise-level of the apparatus practically coincides with the purification threshold, 
so that the methods used for long-distance quantum communication, using entanglement- 
purification-based quantum repeaters |T3[ can be used for secure quantum communication 
without any further requirements. In particular, no fault tolerant quantum computers are 
required. This goal is achieved by proving that the final state of the protocol factorizes 
into a product state of the eavesdropper on one side, and Alice, Bob and their laboratories 
(apparatuses) on the other side. Colloquially speaking, we prove that Eve is factored out 
under the action of the purification protocol, i. e. the finite fidelity at the end of the protocol 
is only due to entanglement with the apparatus. Our proof applies to all possible attacks 
(individual, collective, and coherent) and can be utilized directly in long-distance quantum 
communication. Different from existing work, we (i) prove the security of the entire quantum 
channel, (ii) do not require fault tolerant quantum computers, and (iii) our results have 
practical relevance, as the accuracy of the apparatus used by Alice and Bob may be about two 
orders of magnitude lower than the threshold accuracy for fault tolerant quantum computers 
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The scenario is the following. Initially, Alice and Bob share a numbered ensemble of 2A'' 
qubits {(fli, bi), . . . , (oat, &7v)}, qubits on each side, where A^ is large. Most generally, the 
state they obtain can be written in the form 

where \bI^/''^^), fij = 00, 01, 10, 11 denote the 4 Bell states associated with the two particles 
aj and 6,. Specifically, \Boo) = |$+) = (|00) + |11)) /v^, |i3oi) = |^+) = (|01) + |01)) /v^, 
|i3io) = 1$-) = (|00) - 111)) /v^, l-Bii) = 1^-) = (|01) - |10))/v^. The qubits have been 
distributed through some noisy channel, which may also include repeater stations involving 
additional qubits |12]. In general, (0) will be an entangled state of 2A^ particles, which allows 



for the possibility of so-called coherent attacks [O]. This state may be used to establish a 



perfectly secret quantum channel, given that there is one Bell state, say li^oo), such that 
^g(aj6j)|^^^^jg(aj6j)^ > Fmin > 1/2 for the rcduccd density operator of every pair of qubits 
(oj, bj), where the exact value of -Fmin depends on the noise parameters of Alice's and Bob's 
apparatus |]T2|, 11^ . 



Upon reception of all pairs, Alice and Bob apply the following protocol to them. Note 
that steps 1 and 2 are only apphed once, while steps 3, 4, and 5 are applied recursively. 
Step 1: On each pair of particles {aj,bj), they apply randomly one of the four bi-lateral 

Pauli rotations o"^"^'' cr^^^\ where k = 0,1,2,3. 

Step 2: Alice and Bob randomly renumber the pairs, {aj,bj) {(^n{j),bTT(j)) where vr(j), 
j = 1, . . . , A^ is a random permutation. 

Steps 1 and 2 are required in order to treat correlated pairs correctly. Note that steps 1 
and 2 would also be required — as "preprocessing" steps — for the ideal protocol , if one 
requires that the protocol converges for arbitrary states of the form (|I|) to an ensemble of 
pure EPR states. While in |^ it is possible to check whether or not the protocol converges 
to the desired pure state, by measuring the fidelity of some of the remaining pairs, this is 
not possible when imperfect apparatus is used. Since the maximum attainable fidelity F^ax 
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is smaller than unity, there is no known way to exclude the possibility that the non-ideal 
fidelity is due to correlations between the initial pairs. In both steps Alice and Bob discard 
the information which of the rotations and permutations, respectively, were chosen by their 
random number generator. Thus they deliberately loose some of the information about the 
ensemble which is still available to Eve. After step 1, their knowledge about the state is 
summarized by the density operator 

which corresponds to a classically correlated ensemble of pure Bell states. Since the purifica- 
tion protocol that they are applying in the following steps maps Bell states onto Bell states, 
it is statistically consistent for Alice and Bob to assume after step 1 that they are dealing 
with a (numbered) ensemble of pure Bell states, where they have only limited knowledge 
about which Bell state a specific pair is in. The fact that the pairs are correlated means that 
the order in which they appear in the numbered ensemble may have some pattern, which 
may have been imposed by Eve or by the channel itself. By applying step 2, Alice and Bob 
[i) deliberately ignore this pattern and (ii) randomize the order in which the pairs are used 
in the subsequent purification steps. For all statistical predictions made by Alice and Bob, 
they may consistently describe the ensemble by the density operator |^ 

J2P>^\B,){B,\j =(p..)^^ (3) 

in which the describe the probability with which each pair is found in the Bell state {Bn). 
At this point, Alice and Bob have to make sure that poo = F > F^[^ for some minimum 
fidelity -Fmin > 1/2? which they can do by statistical tests on a certain fraction of the pairs. 
Next, Alice and Bob apply one of the standard purification protocols as described in |^, TU 



For simplicity, we concentrate on the protocol given in [0; for other recurrence protocols, a 
similar proof could be given |^ . The protocol uses these steps: 



Step 3 : Bi-lateral rotations 1/2 (1*^"^ — iai""^) ® (1*^^^ + iax^) are applied to all pairs (a, b). 



Step 4 
Step 5 



To all pairs of pairs a bi-lateral CNOT operation (BCNOT) is applied. 

The target pair of the BCNOT operation is measured on both sides in 2;-direction. 



If the measurement results coincide, the control pair is kept, otherwise it is discarded. 



Since Alice and Bob use imperfect apparatus, it has been shown |T^, [Tj] that these 
protocols converge towards a mixed-state ensemble p[^^ with a maximum attainable fidelity 
-^max < 1. If the fidelity of the local operations is moderate, the value of -Fmax could be quite 
low (80%, as an example). 

In the following we will show that, despite of such a poor attainable fidelity, Alice and 
Bob may happily proceed to apply the purification protocol to establish a secure quantum 
channel ||22|. We show that, as F ^ i^max, the entanglement of the ensemble with the 



eavesdropper is reduced exponentially fast with the number of purification steps. In each 
step of the protocol, we assume that the apparatus they use introduces errors described by 
the following map p3| 

3 

PAB - ^^^?^^^'VaB^^V(^) , (4) 

fi,u=0 
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where a and b denote the qubits which are acted upon locally. The /^i, can be interpreted 
as the joint probability that the Pauli rotations and a^, are applied to qubits a and b, 
respectively. Eq. (|[) includes, for an appropriate choice of the coefficients f^^, the one and 
two qubit depolarizing channel and combinations thereof, as studied in [1^ , but is more 
general. 

It is possible to include the laboratories degrees of freedom in the description. Noise of 
the form (^) can be attributed to some interaction with the apparatus, which is described 
by a map 

fi,u=0 

This map explicitly accounts for the state of the apparatus before and after the interaction. 
The states \e^^) are pairwise orthogonal and have the norm {e^^\e^^) = f^y. It is impor- 
tant to note that the laboratory degrees of freedom \e^i,) can, in principle, be identified in 
any physical environment that generates noise of the form (^, if the specific interaction 
Hamiltonian is known. 

For our purpose, however, the physical details of the environment are of no concern, and 
we may replace the real process by the following scenario, where both Alice and Bob have a 
"little demon" (L) in the laboratory. For simplicity, we concentrate on the demon in Alices 
laboratory only. Note that the generalisation to noise in both labs is trivial. Before every 
purification step, the demon applies randomly one of the sixteen rotations cr^"'' ® ot^ to the 
qubits involved it this step, and keeps a record of which rotations he chose. For example, 
in the case of uncorrelated white noise (depolarizing channel), it leaves each qubit in its 
state (ctq = /) with some probability /o, but rotates its state by with equal probabilities 
f - 

jj 3 ■ 

By doing this, the demon may accumulate a record of all errors in the history of each 
qubit throughout the process. Instead of keeping track of this growing list, he updates in 
each purifications step a single flag = [if] that is associated with each of the pairs. The 
aim of the error fiag is to keep the information required for "undoing" the random rotations 
that occured in the history of each pair. Note that, while this can be done trivially for 
unitary networks, the situation is quite different with the QPA destination protocol, which 
includes measurements. For the proof, we show that there exists a flag update junction - 
as discussed below - which enables the lab demon at any time of the protocol, to assign 
each of the pairs to one out of four subensembles of the total ensemble of pairs and to keep 
track of each of these subensembles seperately. Technically, the flag consists of two classical 
bits, called the error phase bit % and the error amplitude bit j. The update is done in the 
following way: If a Ox [pz-, o'y) error occurs, L inverts the error amplitude bit (error phase bit, 
both error bits). Whenever Alice and Bob agree publicly to keep a control pair Pi (because 
of coinciding measurement outcomes on the target pair P2, see step 5 of the protocol), L 
calculates a function of the error flags of Pi and P2 that updates the flag of Pi. The function 
is shown in table |. Note that the error flag which belongs to a pair is, by construction, 
only a function of the error records. It is important to realize that, what the lab demon is 
doing is not quantum error correction, as he is not applying any correction operation on the 
qubits in the course of the entire protocol. Instead of calculating the flags during the run of 
the protocol, they could equally be calculated after the protocol is flnished. 

As mentioned earlier, at each puriflcation step, the lab demon divides the total ensemble 
into four subensembles pj^g corresponding to the value {ij) of the error flag. Initially, before 
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I'nn'i I'ni'i I'in'i (^^\ 

[UU) [UL) {lU) {11) 


(00) 
(01) 
(10) 

(11) 


(00) (00) (00) (10) 
(00) (01) (11) (00) 
(00) (11) (01) (00) 
(10) (00) (00) (00) 



TABLE I: The value (phase error,amphtude error) of the updated error flag of a pair that is kept 
after a QPA step, given as a function of the error flags of Pi and P2 (left to right and top to 
bottom, respectively). 



the QPA protocol starts, he assigns some random or fixed values to the labels, while the 
subensembles are all in the same state. That is, the error fiags and the states of the pairs 
are initially completely uncorrelated. It is noteworthy that Bell diagonality of the states 
p^g = Afe) |i3oo)(i3oo| + Sfe) + \Boi){Boi\ + D('^^ \Bio){Bio\ is preserved. This 

is due to the fact that all operations in the protocol map Bell states onto Bell states. 

In the following, we analyse the purification process in terms of these four different 
subensembles p^^. In total, we have to keep track of 16 coefficients that occur in the 

expansion of each of the p^g in the Bell basis. These coefficients after the {n + l)-th QPA 
step are functions of the coefficients after the n-th QPA step: 

4(00) . 4 (00)/ 4 (00) 4(01) r)(ii)N 

4(01) , 4(01)/ 4(00) 4(01) r)(ll)N 

(6) 

n(ii) ^ n(")|'4(oo) 4(01) d^^^)\ 

The explicit form of the 16 recurrence relations (P) can be given, but they are rather 
lengthy. They imply a reduced set of 4 recurrence relations for the quantities An = 
An''\ . . . ,Dn = Dn-^^ which describe the evolution of the total ensemble un- 
der the purification protocol. For n — ^ 00, these quantities converge towards a fixpoint 



{Aoo, -Boo; Coo; -^oo) whcrc A^o = -Fmax IS the maximal attainable fidelity [Ol. Different from 
the fidelity = A^, we define the conditional fidelity F™°<^ = aT^ + + + 
This is the fidelity of the ensemble that Alice and Bob could attain, if the lab demon dis- 
closed the error fiags (or, for that matter, only the history of the random rotations, from 
which the fiags can be calculated): Depending on the error fiag of a pair, Alice could then 
choose a local rotation that transforms the pair into the Bell state |i3oo) with probability 

^cond 

Evaluation of the recurrence relation yields that there are three different regimes of noise 
parameters: In the high- noise regime (low values of /oo); no purification is possible; the 
protocol converges to completely depolarized pairs. In the low-noise regime (high values of 
/oo); the protocol purifies and the conditional fidelity converges to unity: the protocol is in 
the security regime. Between these two regimes, just above the purification threshold, there 
exists a very narrow third regime: The protocol purifies, while the conditional fidelity does 
not converge to unity. It is not known whether or not secure communication is possible in 
this regime. For the depolarizing channel, for example, the intermediate regime is contained 
in the interval /o G (0.8983,0.8988), while the security regime covers the entire interval 
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FIG. 1: The fidelities F and -Fcond as a function of the number of steps in the QPA protocol 
(analytical results (lines) and Monte Carlo simulation (circles)). For the calculation, one and two- 
qubit white noise with a noise fidelity of 97% has been assumed. The Monte Carlo simulation 
was started with 10'' pairs; the numbers indicate how many pairs are left after each step of the 
purification protocol. This decreasing number is the reason for the increasing fluctuations around 
the analytical curves. 



/o G [0.8988,1]. The security regime thus coincides, for all practical purposes, with the 
purification regime, but it is interesting to see that these regimes are not strictly identical. 
It shows that the process of factorization is, in the situation of imperfect apparatus, not 
trivially connected to the process of purification. More details about these regimes will 
be published elsewhere. When the protocol is in the security regime, both the fidelity Fn 
and the conditional fidelity F^^"^ reach their respective fixpoints exponentially fast with the 
same exponents (see Fig. |^). From this it follows that there exists a polynomial relation 
between the resources used in the purification process (number of initial pairs) and the 
security parameter 1 — F'^"^'^. All results obtained from the evaluation of the recurrence 
relations (^ were also checked with the help of Monte Carlo simulations, in which the QPA 
protocol was applied to typical ensembles of Bell states. 

Our results imply that the error flags and the states of the subensembles become strictly 
correlated during execution of the purification protocol: The subensemble [ij) ends in the 
state \Bij). In other words, the "little demon" has acquired complete knowledge about the 
states of all pairs after sufficiently many purifications steps; the system consisting of the 
pairs and the lab is thus in a pure state. Now the same argument as in applies: a system 
in a pure state cannot be entangled with any other system — any eavesdropper is factored 
out, as his or her entanglement with the pairs is lost. 

This proof can be extended to more general noise models if a slightly modified protocol is 
used, where step 1 is repeated after every distillation round p4| . This effectively regularises 
any type of local noise process to a process of the type (H) that conserves the Bell diagonality 
of the ensemble, for which we can apply the lab-demon interpretation [25|. 

The fact that the security regime of the protocol almost coincides with the purification 
regime is of strong practical interest because it implies that EPR pairs distributed over long 
distances with quantum repeaters can be used for secure quantum communication without 
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FIG. 2: Foo — Fn and 1 — F™"*^ plotted logarithmically against the purification step n. The 
parameters are the same as in Fig. 



any additional effort 

To summarize, Alice and Bob obtain, with the help of a standard entanglement purifi- 
cation protocol, entangled EPR pairs. These pairs have a limited fidelity F < Fmax < 1 
which depends on the noise introduced by local operations in their laboratory. Alice and 
Bob may nevertheless use these pairs for secure quantum- or classical communication, e. g. 
teleportation |18| or key distribution. At this stage, no further security tests are necessary. 
Since we have shown that there exists no residual entanglement with an eavesdropper, they 
may use all the pairs for the key! While there may be a significant error rate in the message, 
Alice and Bob are allowed to apply classical error correction to the transmitted message 
without disclosing any valuable information to Eve. 
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